Documentation ¶
Index ¶
- Constants
- Variables
- func GCPProjectIDFromJSON(jsonData []byte) (string, error)
- type AWSIntegration
- func (a *AWSIntegration) Externalize() *AWSIntegrationExternal
- func (a *AWSIntegration) GetBearerToken(getTokenCache GetTokenCacheFunc, setTokenCache SetTokenCacheFunc) (string, error)
- func (a *AWSIntegration) GetSession() (*session.Session, error)
- func (a *AWSIntegration) PopulateAWSArn() error
- func (a *AWSIntegration) ToProjectIntegration(category string, service IntegrationService) *ProjectIntegration
- type AWSIntegrationExternal
- type BasicIntegration
- type BasicIntegrationExternal
- type ClusterTokenCache
- type GCPIntegration
- func (g *GCPIntegration) Externalize() *GCPIntegrationExternal
- func (g *GCPIntegration) GetBearerToken(getTokenCache GetTokenCacheFunc, setTokenCache SetTokenCacheFunc, ...) (string, error)
- func (g *GCPIntegration) ToProjectIntegration(category string, service IntegrationService) *ProjectIntegration
- type GCPIntegrationExternal
- type GetTokenCacheFunc
- type HelmRepoTokenCache
- type IntegrationService
- type KubeIntegration
- type KubeIntegrationExternal
- type KubeIntegrationName
- type OAuthIntegration
- type OAuthIntegrationClient
- type OAuthIntegrationExternal
- type OIDCIntegration
- type OIDCIntegrationClient
- type OIDCIntegrationExternal
- type PorterIntegration
- type ProjectIntegration
- type RegTokenCache
- type SetTokenCacheFunc
- type TokenCache
Constants ¶
const ( KubeX509 KubeIntegrationName = "x509" KubeBasic = "basic" KubeBearer = "bearer" KubeLocal = "local" )
The supported kube auth mechanisms
Variables ¶
var PorterClusterIntegrations = []PorterIntegration{ PorterIntegration{ AuthMechanism: "gcp", Category: "cluster", Service: GKE, }, PorterIntegration{ AuthMechanism: "aws", Category: "cluster", Service: EKS, }, PorterIntegration{ AuthMechanism: "kube", Category: "cluster", Service: Kube, }, }
PorterClusterIntegrations are the supported cluster integrations
var PorterGitRepoIntegrations = []PorterIntegration{ PorterIntegration{ AuthMechanism: "oauth", Category: "repo", Service: Github, }, }
PorterGitRepoIntegrations are the supported git repo integrations
var PorterHelmRepoIntegrations = []PorterIntegration{ PorterIntegration{ AuthMechanism: "basic", Category: "helm", Service: HelmRepo, }, PorterIntegration{ AuthMechanism: "gcp", Category: "helm", Service: GCS, }, PorterIntegration{ AuthMechanism: "aws", Category: "helm", Service: S3, }, }
PorterHelmRepoIntegrations are the supported helm repo integrations
var PorterRegistryIntegrations = []PorterIntegration{ PorterIntegration{ AuthMechanism: "gcp", Category: "registry", Service: GCR, }, PorterIntegration{ AuthMechanism: "aws", Category: "registry", Service: ECR, }, PorterIntegration{ AuthMechanism: "oauth", Category: "registry", Service: Docker, }, }
PorterRegistryIntegrations are the supported registry integrations
Functions ¶
func GCPProjectIDFromJSON ¶
Types ¶
type AWSIntegration ¶
type AWSIntegration struct { gorm.Model // The id of the user that linked this auth mechanism UserID uint `json:"user_id"` // The project that this integration belongs to ProjectID uint `json:"project_id"` // The AWS arn this is integration is linked to AWSArn string `json:"aws_arn"` // The optional AWS region (required by some session configurations) AWSRegion string `json:"aws_region"` // The AWS cluster ID // See https://github.com/kubernetes-sigs/aws-iam-authenticator#what-is-a-cluster-id AWSClusterID []byte `json:"aws_cluster_id"` // The AWS access key for this IAM user AWSAccessKeyID []byte `json:"aws_access_key_id"` // The AWS secret key for this IAM user AWSSecretAccessKey []byte `json:"aws_secret_access_key"` // An optional session token, if the user is assuming a role AWSSessionToken []byte `json:"aws_session_token"` }
AWSIntegration is an auth mechanism that uses a AWS IAM user to authenticate
func (*AWSIntegration) Externalize ¶
func (a *AWSIntegration) Externalize() *AWSIntegrationExternal
Externalize generates an external KubeIntegration to be shared over REST
func (*AWSIntegration) GetBearerToken ¶
func (a *AWSIntegration) GetBearerToken( getTokenCache GetTokenCacheFunc, setTokenCache SetTokenCacheFunc, ) (string, error)
GetBearerToken retrieves a bearer token for an AWS account
func (*AWSIntegration) GetSession ¶
func (a *AWSIntegration) GetSession() (*session.Session, error)
GetSession retrieves an AWS session to use based on the access key and secret access key
func (*AWSIntegration) PopulateAWSArn ¶
func (a *AWSIntegration) PopulateAWSArn() error
PopulateAWSArn uses the access key/secret to get the caller identity, and attaches it to the AWS integration
func (*AWSIntegration) ToProjectIntegration ¶
func (a *AWSIntegration) ToProjectIntegration( category string, service IntegrationService, ) *ProjectIntegration
ToProjectIntegration converts an aws integration to a project integration
type AWSIntegrationExternal ¶
type AWSIntegrationExternal struct { ID uint `json:"id"` // The id of the user that linked this auth mechanism UserID uint `json:"user_id"` // The project that this integration belongs to ProjectID uint `json:"project_id"` // The AWS arn this is integration is linked to AWSArn string `json:"aws_arn"` }
AWSIntegrationExternal is a AWSIntegration to be shared over REST
type BasicIntegration ¶
type BasicIntegration struct { gorm.Model // The id of the user that linked this auth mechanism UserID uint `json:"user_id"` // The project that this integration belongs to ProjectID uint `json:"project_id"` // Username/Password for basic authentication to a cluster Username []byte `json:"username,omitempty"` Password []byte `json:"password,omitempty"` }
BasicIntegration represents a basic auth mechanism via username/password
func (*BasicIntegration) Externalize ¶
func (b *BasicIntegration) Externalize() *BasicIntegrationExternal
Externalize generates an external BasicIntegration to be shared over REST
func (*BasicIntegration) ToProjectIntegration ¶
func (b *BasicIntegration) ToProjectIntegration( category string, service IntegrationService, ) *ProjectIntegration
ToProjectIntegration converts an oauth integration to a project integration
type BasicIntegrationExternal ¶
type BasicIntegrationExternal struct { ID uint `json:"id"` // The id of the user that linked this auth mechanism UserID uint `json:"user_id"` // The project that this integration belongs to ProjectID uint `json:"project_id"` }
BasicIntegrationExternal is a BasicIntegration to be shared over REST
type ClusterTokenCache ¶
type ClusterTokenCache struct { TokenCache ClusterID uint `json:"cluster_id"` }
ClusterTokenCache is a token cache that clusters can use; a foreign key constraint between a Cluster and ClusterTokenCache is created
type GCPIntegration ¶
type GCPIntegration struct { gorm.Model // The id of the user that linked this auth mechanism UserID uint `json:"user_id"` // The project that this integration belongs to ProjectID uint `json:"project_id"` // The GCP project id where the service account for this auth mechanism persists GCPProjectID string `json:"gcp_project_id"` // The GCP user email that linked this service account GCPUserEmail string `json:"gcp-user-email"` // The GCP region, which may or may not be used by the integration GCPRegion string `json:"gcp_region"` // KeyData for a service account for GCP connectors GCPKeyData []byte `json:"gcp_key_data"` }
GCPIntegration is an auth mechanism that uses a GCP service account to authenticate
func (*GCPIntegration) Externalize ¶
func (g *GCPIntegration) Externalize() *GCPIntegrationExternal
Externalize generates an external KubeIntegration to be shared over REST
func (*GCPIntegration) GetBearerToken ¶
func (g *GCPIntegration) GetBearerToken( getTokenCache GetTokenCacheFunc, setTokenCache SetTokenCacheFunc, scopes ...string, ) (string, error)
GetBearerToken retrieves a bearer token for a GCP account
func (*GCPIntegration) ToProjectIntegration ¶
func (g *GCPIntegration) ToProjectIntegration( category string, service IntegrationService, ) *ProjectIntegration
ToProjectIntegration converts a gcp integration to a project integration
type GCPIntegrationExternal ¶
type GCPIntegrationExternal struct { ID uint `json:"id"` // The id of the user that linked this auth mechanism UserID uint `json:"user_id"` // The project that this integration belongs to ProjectID uint `json:"project_id"` // The GCP project id where the service account for this auth mechanism persists GCPProjectID string `json:"gcp-project-id"` // The GCP user email that linked this service account GCPUserEmail string `json:"gcp-user-email"` }
GCPIntegrationExternal is a GCPIntegration to be shared over REST
type GetTokenCacheFunc ¶
type GetTokenCacheFunc func() (tok *TokenCache, err error)
GetTokenCacheFunc is a function that retrieves the token and expiry time from the db
type HelmRepoTokenCache ¶
type HelmRepoTokenCache struct { TokenCache HelmRepoID uint `json:"helm_repo_id"` }
HelmRepoTokenCache is a token cache that helm repos can use; a foreign key constraint between a HelmRepo and HelmRepoTokenCache is created
type IntegrationService ¶
type IntegrationService string
IntegrationService is the name of a third-party service
const ( GKE IntegrationService = "gke" GCS IntegrationService = "gcs" S3 IntegrationService = "s3" HelmRepo IntegrationService = "helm" EKS IntegrationService = "eks" Kube IntegrationService = "kube" GCR IntegrationService = "gcr" ECR IntegrationService = "ecr" DOCR IntegrationService = "docr" Github IntegrationService = "github" Docker IntegrationService = "docker" )
The list of supported third-party services
type KubeIntegration ¶
type KubeIntegration struct { gorm.Model // The name of the auth mechanism Mechanism KubeIntegrationName `json:"mechanism"` // The id of the user that linked this auth mechanism UserID uint `json:"user_id"` // The project that this integration belongs to ProjectID uint `json:"project_id"` // Certificate data is used by x509 auth mechanisms over TLS ClientCertificateData []byte `json:"client-certificate-data,omitempty"` ClientKeyData []byte `json:"client-key-data,omitempty"` // Token is used for bearer-token auth mechanisms Token []byte `json:"token,omitempty"` // Username/Password for basic authentication to a cluster Username []byte `json:"username,omitempty"` Password []byte `json:"password,omitempty"` // The raw kubeconfig, used by local auth mechanisms Kubeconfig []byte `json:"kubeconfig"` }
KubeIntegration represents the kube-native auth mechanisms: using x509 certs, basic (username/password), bearer tokens, or local (using local kubeconfig)
func (*KubeIntegration) Externalize ¶
func (k *KubeIntegration) Externalize() *KubeIntegrationExternal
Externalize generates an external KubeIntegration to be shared over REST
func (*KubeIntegration) ToProjectIntegration ¶
func (k *KubeIntegration) ToProjectIntegration( category string, service IntegrationService, ) *ProjectIntegration
ToProjectIntegration converts a gcp integration to a project integration
type KubeIntegrationExternal ¶
type KubeIntegrationExternal struct { ID uint `json:"id"` // The name of the auth mechanism Mechanism KubeIntegrationName `json:"mechanism"` // The id of the user that linked this auth mechanism UserID uint `json:"user_id"` // The project that this integration belongs to ProjectID uint `json:"project_id"` }
KubeIntegrationExternal is a KubeIntegration to be shared over REST
type KubeIntegrationName ¶
type KubeIntegrationName string
KubeIntegrationName is the name of a kube auth mechanism
type OAuthIntegration ¶
type OAuthIntegration struct { gorm.Model // The name of the auth mechanism Client OAuthIntegrationClient `json:"client"` // The id of the user that linked this auth mechanism UserID uint `json:"user_id"` // The project that this integration belongs to ProjectID uint `json:"project_id"` // The ID issued to the client ClientID []byte `json:"client-id"` // The end-users's access token AccessToken []byte `json:"access-token"` // The end-user's refresh token RefreshToken []byte `json:"refresh-token"` }
OAuthIntegration is an auth mechanism that uses oauth https://tools.ietf.org/html/rfc6749
func (*OAuthIntegration) Externalize ¶
func (o *OAuthIntegration) Externalize() *OAuthIntegrationExternal
Externalize generates an external KubeIntegration to be shared over REST
func (*OAuthIntegration) ToProjectIntegration ¶
func (o *OAuthIntegration) ToProjectIntegration( category string, service IntegrationService, ) *ProjectIntegration
ToProjectIntegration converts an oauth integration to a project integration
type OAuthIntegrationClient ¶
type OAuthIntegrationClient string
OAuthIntegrationClient is the name of an OAuth mechanism client
const ( OAuthGithub OAuthIntegrationClient = "github" OAuthDigitalOcean OAuthIntegrationClient = "do" )
The supported oauth mechanism clients
type OAuthIntegrationExternal ¶
type OAuthIntegrationExternal struct { ID uint `json:"id"` // The name of the auth mechanism Client OAuthIntegrationClient `json:"client"` // The id of the user that linked this auth mechanism UserID uint `json:"user_id"` // The project that this integration belongs to ProjectID uint `json:"project_id"` }
OAuthIntegrationExternal is an OAuthIntegration to be shared over REST
type OIDCIntegration ¶
type OIDCIntegration struct { gorm.Model // The name of the auth mechanism Client OIDCIntegrationClient `json:"client"` // The id of the user that linked this auth mechanism UserID uint `json:"user_id"` // The project that this integration belongs to ProjectID uint `json:"project_id"` // The "Issuer Identifier" of the OIDC spec (16.15) IssuerURL []byte `json:"idp-issuer-url"` // The ID issued to the Relying Party ClientID []byte `json:"client-id"` // The secret issued to the Relying Party // // This is present because it used to be a required field in a kubeconfig. // However, because the kube apiserver acts as a Relying Party, the client // secret is not necessary. ClientSecret []byte `json:"client-secret"` // The CA data -- certificate check must be performed (16.17) CertificateAuthorityData []byte `json:"idp-certificate-authority-data"` // The user's JWT id token IDToken []byte `json:"id-token"` // The user's refresh token RefreshToken []byte `json:"refresh-token"` }
OIDCIntegration is an auth mechanism that uses oidc. Spec: https://openid.net/specs/openid-connect-core-1_0.html
func (*OIDCIntegration) Externalize ¶
func (o *OIDCIntegration) Externalize() *OIDCIntegrationExternal
Externalize generates an external KubeIntegration to be shared over REST
func (*OIDCIntegration) ToProjectIntegration ¶
func (o *OIDCIntegration) ToProjectIntegration( category string, service IntegrationService, ) *ProjectIntegration
ToProjectIntegration converts a gcp integration to a project integration
type OIDCIntegrationClient ¶
type OIDCIntegrationClient string
OIDCIntegrationClient is the name of an OIDC auth mechanism client
const (
OIDCKube OIDCIntegrationClient = "kube"
)
The supported OIDC auth mechanism clients
type OIDCIntegrationExternal ¶
type OIDCIntegrationExternal struct { ID uint `json:"id"` // The name of the auth mechanism Client OIDCIntegrationClient `json:"client"` // The id of the user that linked this auth mechanism UserID uint `json:"user_id"` // The project that this integration belongs to ProjectID uint `json:"project_id"` }
OIDCIntegrationExternal is a OIDCIntegration to be shared over REST
type PorterIntegration ¶
type PorterIntegration struct { AuthMechanism string `json:"auth_mechanism"` Category string `json:"category"` Service IntegrationService `json:"service"` }
PorterIntegration is a supported integration service, specifying an auth mechanism and the category of integration. A single service can have multiple auth mechanisms. For example, a GKE integration can have both an "oauth" mechanism and a "gcp" mechanism:
PorterIntegration{ AuthMechanism: "oauth", Category: "cluster", Service: GKE, }
PorterIntegration{ AuthMechanism: "gcp", Category: "cluster", Service: GKE, }
type ProjectIntegration ¶
type ProjectIntegration struct { ID uint `json:"id"` ProjectID uint `json:"project_id"` AuthMechanism string `json:"auth_mechanism"` Category string `json:"category"` Service IntegrationService `json:"service"` }
ProjectIntegration is the top-level integration object for various integrations. Although the integrations are stored in the DB by auth mechanism, the integrations are cast to a ProjectIntegration for consolidation before passing on to the client.
type RegTokenCache ¶
type RegTokenCache struct { TokenCache RegistryID uint `json:"registry_id"` }
RegTokenCache stores a token and an expiration for the JWT token for a Docker registry. This will never be shared over REST, so no need to externalize.
type SetTokenCacheFunc ¶
SetTokenCacheFunc is a function that updates the token cache with a new token and expiry time
type TokenCache ¶
type TokenCache struct { gorm.Model Expiry time.Time `json:"expiry,omitempty"` Token []byte `json:"access_token"` }
TokenCache stores a token and an expiration for the token for a service account. This will never be shared over REST, so no need to externalize.
func (*TokenCache) IsExpired ¶
func (t *TokenCache) IsExpired() bool
IsExpired returns true if a token is expired, false otherwise